On 7/15/10 7:46 AM, Luis Neves wrote:
> Hello,
>
> I am using the
> -CAfile /etc/pki/tls/certs/ca-bundle.crt,
> and the CA certificate is appended to this list, shouldn't this work ok?
>
>
> the OCSP responder comes from the lneves.pem certificate itself, so it
> must be ok, I presume
>
> Luis

Just because a certificate specifies an authorityInformationAccess specifier doesn't mean that that specified aIA will necessarily know about the certificate.

You left a lot of information out of the 'etc etc etc etc' part -- including all of the certificate extensions, including such things as "authorityInformationAccess". What you need to do is ensure that the CA that issued the OCSP responder's certificate is in ca-bundle.txt. The first section, the "Unknown", will still state 'unknown' (and you will have to ask the CA why it's returning 'unknown status'). The 'unable to get local issuer certificate' error will go away. You must coordinate with the CA. Otherwise, you're not going to get an interoperable cert.

-Kyle H
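The 'unable to get local issuer certificate' condition discussed in this message, reproduced offline as an added example that is not part of the original thread: a throwaway CA issues an OCSP-signing certificate, and `openssl verify` (used here instead of a live `openssl ocsp` query) checks it against a bundle before and after that CA is appended. All subjects, file names and the helper functions `make_pki`, `check_responder` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every name, subject and file here is constructed.

# Build two throwaway CAs and an OCSP-signing certificate issued by one of them.
make_pki() {  # $1 = scratch directory
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca_ext]
basicConstraints = critical,CA:TRUE
[ocsp_ext]
extendedKeyUsage = OCSPSigning
EOF
    for ca in responder-ca unrelated-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/pki.cnf" \
            -extensions ca_ext -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=ocsp-responder" -keyout "$d/resp.key" -out "$d/resp.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/resp.csr" -CA "$d/responder-ca.pem" \
        -CAkey "$d/responder-ca.key" -set_serial 1 -days 2 \
        -extfile "$d/pki.cnf" -extensions ocsp_ext -out "$d/resp.pem" 2>/dev/null
}

# Report whether the bundle can build a chain for the responder certificate.
check_responder() {  # $1 = bundle (as given to -CAfile), $2 = responder cert
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo "issuer-missing" ;;
        *": OK"*) echo "ok" ;;
        *) echo "other-error" ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    cp "$d/unrelated-ca.pem" "$d/bundle.pem"      # bundle lacking the issuer
    before=$(check_responder "$d/bundle.pem" "$d/resp.pem")
    cat "$d/responder-ca.pem" >> "$d/bundle.pem"  # append the responder's issuer
    after=$(check_responder "$d/bundle.pem" "$d/resp.pem")
    rm -rf "$d"
    echo "$before $after"
}
demo
```

This only covers the trust-path half of the problem; a certificate status of "unknown" is decided by the responder and is unaffected by the contents of the local bundle.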